CRIM 3460 Introduction to Critical Infrastructure Protection Spring 2015
Chapter 7 – Cyber Threats
School of Criminology and Justice Studies University of Massachusetts Lowell
Net neutrality: Tim Wu of Columbia University coined the term in 2003
It is the principle that all data on the internet is treated equally, without discrimination or differential charging
FCC net neutrality rules: designed to make sure ISPs treat all legal content equally
The internet is too important to let the broadband companies make the rules
Essentially classifies the internet as a utility
Bill in Congress that would roll back the FCC rules: "The rules shall have no force or effect"
FCC may not reissue or issue a new rule until after the enactment of this Act.
Highly unregulated industry
Self-organizing system
Lacks regulatory controls on its use
Scale-free, as it has major hubs
Telecom hotels are the #1 risk
Tier-1 ISPs may be the #2 Risk
Extremely vulnerable to global threats
Originally designed for robustness, but not security
Forming the basis of the 21st century economy
High penalty for doing it wrong!
Flaws in TCP/IP: viruses and worms travel via vectors
Software flaws are the first and foremost vectors
Most prominent vector; shows how TCP/IP can be exploited
Open ports: access doors to the computer that let data in and out, including worms
Other popular exploits: buffer overflow (operating systems can be exploited)
Email and email attachments
Miscellaneous flaws in software
SYN Flooding is a form of DOS
Attacker sends a series of SYN requests to a target system, trying to consume server resources and make the system unresponsive
Normally a SYN is paired with an ACK from System B, but if the ACK never comes, the system crashes
Figure 7.1a in Text
Normal connection between a user and a server; three-way handshake is correctly performed.
Attacker sends packets minus sending ACK back to the server. Connections half-opened and consume server resources. Legitimate user tries to connect, but server refuses.
Source: Wikipedia
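A defender's view of the half-open connections described above, as an added example that is not part of the lecture slides: it parses a constructed snapshot of a server's TCP connection table (assumed to be in `ss -tan` layout) and flags a port whose SYN-RECV count reaches a threshold, noting whether the peers are a single source or many distinct addresses (the Phase II zombie case).

```python
"""SYN flood check over a snapshot of the TCP connection table (added
example, not from the slides; rows assumed in `ss -tan` layout)."""
from collections import Counter

# Constructed snapshot: two legitimate ESTAB sessions and a burst of
# half-open (SYN-RECV) connections against port 80 from many peers.
SNAPSHOT = "\n".join(
    ["State      Recv-Q Send-Q Local Address:Port  Peer Address:Port",
     "ESTAB      0      0      10.0.0.5:80         198.51.100.9:52011"]
    + [f"SYN-RECV   0      0      10.0.0.5:80         203.0.113.{i}:4{i:04d}"
       for i in range(1, 41)]
    + ["ESTAB      0      0      10.0.0.5:22         198.51.100.9:52012"]
)

def parse_table(text):
    """Yield (state, local_port, peer_ip) for each data row."""
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        yield state, int(local.rsplit(":", 1)[1]), peer.rsplit(":", 1)[0]

def half_open_report(text, threshold=20):
    """Per local port: count SYN-RECV (half-open) entries, flag a suspected
    flood when the count reaches `threshold`, and note whether the peers are
    a few addresses (single-source DoS) or many (distributed, Phase II)."""
    half_open = Counter()
    peers = {}
    for state, port, peer_ip in parse_table(text):
        if state == "SYN-RECV":
            half_open[port] += 1
            peers.setdefault(port, set()).add(peer_ip)
    report = {}
    for port, n in half_open.items():
        sources = len(peers[port])
        report[port] = {
            "half_open": n,
            "distinct_sources": sources,
            "suspect_flood": n >= threshold,
            "distributed": sources >= max(2, n // 2),
        }
    return report

if __name__ == "__main__":
    for port, info in half_open_report(SNAPSHOT).items():
        print(f"port {port}: {info}")
```

On a real host the same function can be fed the output of `ss -tan`; the threshold should be tuned to the server's normal backlog.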
DOS on the White House website on 10/21/02
Via the Code Red worm/virus, which works as follows:
o Worm enters the target computer through its port 80
o Infects the Microsoft Internet Information Server software
o Randomly copies itself onto other targets for 20 days
o Dormant until a certain date, when copies are activated
o Millions of distributed copies flood White House server
The White House changed the server's DNS address, redirecting www.whitehouse.gov to another server
Buffer overflow: the exploit bypasses computer access control by fooling the OS into thinking an incoming virus is data
If the buffer area is overflowed so that the overflow changes the return address, the virus can take control of the computer
Control passes to the virus, instead of the user or OS
Trial and error to get the correct buffer size; many attempts
Figure 7.2a in Text
Virus has guessed the right size of the buffer
Tricks OS into passing control to the virus, instead of the authorized user
Exploiter discovers how to penetrate OS protection
Virus is free to do whatever it wants
Figure 7.2b in Text
The exploiter pre-loads unsuspecting zombies prior to a massive DDOS
Phase I: Spread the worm via ports
Figure 7.3a in Text
At a preset time, the zombies launch multiple DOS attacks against a target.
Phase II: Attack the target via its ports
Figure 7.3b in Text
Code Red in July 2001
Clear source and destination addresses lead to: 200K infected North American computers
400-700K computers worldwide
Interdependent with banking
Stalled the largest ATM network
Total cost is unknown
Who were the perpetrators? Unknown
February 2000 strikes on the most popular sites (hubs) of the WWW: Amazon.com Inc., Buy.com Inc., CNN.com, eBay Inc., E-Trade.com, Yahoo Inc., ZDNet
Canadian teenager created an army of zombie computers to flood the web servers forcing them to shut down for hours
Estimated $1.7B in lost revenues; fined $250 and 8 months in jail.
Robert Tappan Morris: first virus, 1988; fined $10,000, 3 years probation; founded and sold ViaWeb to Yahoo in 1995 for $48M; MIT professor today
Jonathan James: first hacker to serve prison time (6 months) for hacking; hacked into NASA and DOD computers; claimed NASA software was crappy
Adrian Lamo, aka the homeless hacker: broke into banks, newspapers and Microsoft from coffee shops; works for a security company in California; exposed WikiLeaks violation
Kevin Mitnick: served 5 years, 8 months in jail; subject of two movies and several TV programs; wrote 2 best-sellers.
Stuxnet is a computer worm designed to attack industrial programmable logic controllers
July – October 2010: appears to target a particular power control system (i.e. Iran's nuclear facility)
Transferred from a thumb drive to a Windows computer (infected 45,000 computers)
Level of sophistication suggests it is made by a government (speculation: source is US or Israeli or both)
No widespread damage so far (speculation: targeted Iran's centrifuges)
SCADA attacks impact on critical infrastructure?
U.S. Military: President Bush was the first U.S. President to approve the use of offensive cyber exploits in Iraq as part of the 2007 surge
Gen. Petraeus to Congress: "This war is not only being fought on the ground in Iraq but also in cyberspace"
Russia-Georgia conflict of 2008: Russian intervention in South Ossetia was augmented by DOS attacks on Georgian telecom
Unknown whether the attackers were Russian military or "black hats"
Botnets and Botherders
Botnet: invisible network of viruses overlaid on the net
Botnets are under the control of a botherder (remote control)
Target and purpose not known; mostly spam servers
Rustock: Flyman runs the Russian Business Network in St. Petersburg; botherds 1.6 – 2.4M zombies
Zeus Largest known botnet in USA: 3.6M zombies [2009].
Typical fault tree of threat-asset pairs
Figure 7.4 in Text
Values used to analyze the general fault tree
Table 7.1 in Text
Typical ROI analysis of fault tree of threat-asset pairs
Figure 7.5 in Text
Probability of infection vs. recent threats/exploits
Risk = EP x C, where EP = Infectiousness and C = Consequence
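A worked application of Risk = EP x C over a small fault tree of threat-asset pairs, carried through to the countermeasure ROI ranking that Figure 7.5 describes; this is an added example, not the text's figure or Table 7.1, and every pair, probability, consequence and cost in it is constructed.

```python
"""Risk = EP x C over a fault tree of threat-asset pairs, with a simple
countermeasure ROI ranking (added example; the pairs, probabilities,
consequences and costs below are constructed, not Table 7.1 values)."""

# Constructed leaves of the fault tree: pair -> (EP, consequence C in $M).
PAIRS = {
    "worm via open port -> web server": (0.30, 2.0),
    "SYN flood -> e-commerce site": (0.20, 5.0),
    "buffer overflow -> OS": (0.10, 8.0),
}

# Constructed countermeasures: name -> (pair protected, cost in $M, EP after).
COUNTERMEASURES = {
    "firewall closes unused ports": ("worm via open port -> web server", 0.5, 0.05),
    "SYN cookies on the load balancer": ("SYN flood -> e-commerce site", 0.2, 0.05),
    "patching plus stack protection": ("buffer overflow -> OS", 1.0, 0.02),
}

def pair_risk(ep, consequence):
    """Risk of one threat-asset pair: EP x C (expected loss in $M)."""
    return ep * consequence

def tree_risk(pairs):
    """Expected loss of the whole tree: sum of EP x C over its leaves."""
    return sum(pair_risk(ep, c) for ep, c in pairs.values())

def or_gate(pairs):
    """Probability that at least one leaf fires (OR gate, independent leaves)."""
    p_none = 1.0
    for ep, _ in pairs.values():
        p_none *= 1.0 - ep
    return 1.0 - p_none

def rank_by_roi(pairs, measures):
    """Return [(measure, risk reduction, ROI)] sorted by reduction per $M spent."""
    rows = []
    for name, (pair, cost, new_ep) in measures.items():
        ep, c = pairs[pair]
        reduction = pair_risk(ep, c) - pair_risk(new_ep, c)
        rows.append((name, reduction, reduction / cost))
    return sorted(rows, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    print(f"tree risk ${tree_risk(PAIRS):.2f}M, P(any leaf fires) {or_gate(PAIRS):.3f}")
    for name, reduction, roi in rank_by_roi(PAIRS, COUNTERMEASURES):
        print(f"{name:34s} saves ${reduction:.2f}M  ROI {roi:.2f}")
```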
Black Swan; what if the entire Internet fails?
Source: U.S. Department of Commerce. Table 8. Value of Physical Capital Destroyed by Natural Disasters. Cashell, Jackson, Jickling, and Webel, The Economic Impact of Cyber-Attacks, April 1, 2004
Simple counter-measures are effective: anti-viral/anti-spyware software, intrusion detection systems, firewalls, VPN, encryption
Source:14th Annual CSI Computer Crime and Security Survey, December 2009
Einstein Project*
PASSIVE: monitor and report internet activity via Internet Control Message Protocol (ICMP)
INTRUSIVE: intrusion detection by collecting network traffic flow data in real time and analyzing content looking for malicious code (i.e. e-mail attachments)
OFFENSIVE: countermeasures by shooting down an attack before it hits its target; potentially an invasion of privacy
*E-Government Act of 2002 (created a classified program designed to protect government IT systems)
A Simple Anti-Viral Counter-Measure: fight fire with fire; launch an anti-virus that destroys viruses
o Dabber (2004) is believed to be the first worm that spread by targeting a flaw in another worm's code, Sasser
o Dabber-like "anti-viruses" might be used to destroy other viruses and provide a low-cost countermeasure
Issues: legality, liability
Wider adoption of existing technology: IPv6, HTTPS, VPNs
Strong firewalls (on desktops/laptops); what about tablets and iPads?
Broader use of PKI/certificates
Counter-measures: anti-virus virus (a safer Dabber?), regulation, penalties
Cyber Risk: Reality or Hype?
Risk = Threat x Vulnerability x Consequence, or Risk = EP x Consequence
Counter hype: nobody has died from a cyber attack; consequences may be inflated; risk appears to be decreasing
Reality: "Cyber Pearl Harbor" hasn't happened yet, but it could; dependency on computers still growing; attacks getting smarter, but… consequence trend is downward
Regulation: 1996 Telecom Act changes
o Harden or reduce size of telecom hotels (hubs)
o Incentives for security (higher security standards)
Copy water sector policies: "Large" ISPs (>3300) subject to:
o Temporal passwords
o Require SSL/HTTPS or even VPNs on all transactions
o PII loss fines
Privacy and Civil Liberties: wiretapping concerns; abuses